
This tutorial assumes that you have a Linux box with OpenSSL installed, and that you want to create a self-signed certificate for IIS 5.0.

1. Set up your CA (you only have to do this once) ON THE LINUX BOX…

* Create a private key

openssl genrsa -des3 -out CA.key 1024

(You’ll need to supply a passphrase. DON’T FORGET THIS!!)

* Set this to read-only for root for security

chmod 400 CA.key

* Create the CA certificate

openssl req -new -key CA.key -x509 -days 1095 -out CA.crt

(Provide appropriate responses to the prompts…for Common Name, you might want to use something like “OurCompany CA”)

* Set the certificate to read-only for root for security

chmod 400 CA.crt

2. Obtain a CSR ON THE IIS BOX…

* Open the Internet Manager
* Select the site for which you want to create a key
* Right-click and choose Properties
* Select the “Directory Security” tab
* Click the “Server Certificate” button
* Follow the prompts to create a CSR
* Save your CSR, then transfer it to the Linux box for further processing. (For the following steps, we’ll refer to your CSR as “new.csr”)

3. Sign the CSR ON THE LINUX BOX…

* Sign the CSR (all of this on one line)

4. Install the self-signed certificate ON THE IIS BOX…

* Open the Internet Manager
* Select the site on which to install the key
* Right-click and choose Properties
* Select the “Directory Security” tab
* Click the “Server Certificate” button
* Specify that you want to complete the pending request
* Select the .crt file that you just transferred

That’s it!

Now…here’s the updated info, with special thanks to David MacKenzie.

David’s comments: I found your instructions for creating a self-signed cert for IIS using OpenSSL invaluable – thanks! (I found them by Google.) There’s one subtlety I’d like to suggest you add to them. If the IIS server is Outlook Web Access for an Exchange server, then installing the SSL cert breaks Public Folders administration from the Exchange System Manager MMC console. ESM complains that the cert isn’t connected to a recognized authority, and if you fix that, it complains that the system name is wrong. After more googling, I found an answer that worked for me, shown below as additional steps for your check list. I’m using Windows 2000 SP3 and Exchange 2000 SP3.

In order to run a secure (SSL/TLS encrypted) web server, you have to have a private key and a certificate for the server. For a commercial web site, you will probably want to purchase a certificate signed by a well-known root CA. For Intranet or special-purpose uses like this, you can be your own CA. This is done with the OpenSSL tools.

Here, we will make a private CA key and a private CA X.509 certificate. We will also make a directory for the certs and keys:

[root]# openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Kentucky
Locality Name (eg, city) [Newbury]:Fayette County
Organization Name (eg, company) [My Company Ltd]:VanEmery.Com
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, your name or your server's hostname) []:VanEmery.Com CA
Email Address []:hostmaster@vanemery.com

[root]# openssl x509 -in my-ca.crt -text -noout

Notes: The first OpenSSL command makes the key. The second command makes the X.509 certificate with a 10-year lifetime. The third command lets you view the completed certificate. Make sure that you keep the password in a safe place; you will need it every time you sign another certificate! You will probably also want to make backups of the cert and key and lock them in a safe place.

Step 2: Make a key and a certificate for the web server:

Now, we have to make an X.509 certificate and corresponding private key for the web server. Rather than creating a certificate directly, we will create a key and a certificate request, then “sign” the certificate request with the CA key we made in Step 1. You can make keys for multiple web servers this way. One thing to note is that SSL/TLS private keys for web servers need to be either 512 or 1024 bits. Any other key size may be incompatible with certain browsers.

[root]# openssl req -new -key mars-server.key -out mars-server.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taipei County
Locality Name (eg, city) [Newbury]:Nankang
Organization Name (eg, company) [My Company Ltd]:VanEmery.Com
Organizational Unit Name (eg, section) []:Web Services
Common Name (eg, your name or your server's hostname) []:mars.vanemery.com   <=== This must be the real FQDN of your server!!!
Email Address []:hostmaster@vanemery.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
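Both walkthroughs above (steps 1 to 4 for IIS, and Step 1/Step 2 here) leave two things to the reader: the single command that signs the CSR with the CA key, and a check that the issued certificate really chains to the CA and carries the right name. The script below is an added example, not the original author's commands: it runs the same procedure non-interactively with the OpenSSL command-line tool, from CA key and certificate through server key, CSR, signing and verification. Every name in it (Example Corp, mars.example.test, the passphrase) is a constructed placeholder. It departs from the text in two deliberate ways: it uses 2048-bit keys rather than the 1024 bits shown above, since 1024-bit RSA is no longer accepted by browsers, and it adds a subjectAltName at signing time, which current clients require in addition to the Common Name.

```shell
#!/bin/sh
# Added example: private CA -> server CSR -> signed certificate -> verification.
# Not the original post's commands. All names and the passphrase are constructed
# placeholders; CA_PASS in particular must be replaced with a real passphrase.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-replace-this-ca-passphrase}"   # constructed placeholder
SERVER_FQDN="${SERVER_FQDN:-mars.example.test}"    # must be the server's real FQDN

# Step 1: the CA. Key is passphrase-protected and readable only by its owner,
# exactly as the chmod 400 steps above; 2048 bits instead of 1024.
make_ca() {
    cd "$WORKDIR"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out CA.key 2048 2>/dev/null
    chmod 400 CA.key
    openssl req -new -x509 -days 1095 -key CA.key -passin "pass:$CA_PASS" \
        -subj "/C=US/O=Example Corp/OU=Certificate Authority/CN=Example Corp CA" \
        -out CA.crt
    chmod 400 CA.crt
}

# Step 2: server key and CSR. The CN must be the FQDN clients will type.
# The server key is left unencrypted so the web server can start unattended.
make_csr() {
    cd "$WORKDIR"
    openssl genrsa -out server.key 2048 2>/dev/null
    chmod 400 server.key
    openssl req -new -key server.key \
        -subj "/C=US/O=Example Corp/OU=Web Services/CN=$SERVER_FQDN" \
        -out server.csr
}

# Step 3: sign the CSR with the CA. -CAcreateserial keeps the serial counter in
# CA.srl; the extension file adds the SAN, marks the cert as a non-CA and
# restricts it to TLS server use, so a stolen server cert cannot issue others.
sign_csr() {
    cd "$WORKDIR"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$SERVER_FQDN" > server.ext
    openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -passin "pass:$CA_PASS" \
        -CAcreateserial -days 365 -extfile server.ext -out server.crt 2>/dev/null
}

# Check: the same test a browser applies, chain to our CA plus hostname match.
# Returns 0 only when both hold.
verify_server_cert() {
    cd "$WORKDIR"
    openssl verify -CAfile CA.crt -verify_hostname "$SERVER_FQDN" server.crt >/dev/null
}

issue_and_verify() {
    make_ca && make_csr && sign_csr && verify_server_cert
}

if command -v openssl >/dev/null 2>&1; then
    issue_and_verify && echo "issued $WORKDIR/server.crt for $SERVER_FQDN, chain OK"
else
    echo "openssl not found; nothing done" >&2
fi
```

For the IIS case the CSR comes from the Internet Manager rather than from make_csr, so only sign_csr and verify_server_cert apply: copy the IIS-generated request to new.csr, point -in at it, and transfer the resulting .crt back. Install CA.crt in the client's trusted root store as well, or browsers will still warn even though the chain verifies here.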

How to make Apache work with OWA (Outlook Web Access), using mod_proxy.

Table of Contents:

1. The purpose of the document
2. What we need
3. Configuration
4. Troubleshooting

1. PURPOSE OF THE DOCUMENT

Sometimes someone asks us to make it possible to access their e-mail account from the Internet. In the best case we can use a simple and powerful web-mail; in the worst case we MUST use OWA, AKA Outlook Web Access.

The problem is twofold:

1) Using Exchange Server 5.5 or 2000 in the normal edition, we can’t separate OWA from the Exchange machine.
2) Using OWA, we MUST use IIS, which as we know sucks at security.

So, to avoid these problems we can use Apache mod_proxy to:

+ Separate the services into a FrontEnd <-> BackEnd scenario
+ Put IIS in a DMZ, so that most attacks land on the front-end Apache instead (which is better).

The purpose of this document is to show how to install Apache mod_proxy and, of course, make it work, so that OWA on IIS can be accessed through it.

The scenario will be:

Client ----> Apache (mod_proxy) <----> IIS-Exchange

2. WHAT WE NEED

Naturally we need:

+ A working Exchange 2000/5.5 installation
+ A working IIS + SSL at the maximum patch level, with OWA correctly installed on the same Exchange machine
+ A working Apache 2 with SSL and mod_proxy support on another machine

3. Configuration

Ok, let’s go.

The configuration needed to make all this work is quite simple, but it includes a work-around. OWA in fact returns FQDN URLs to the client, so we must make the client always think it is connecting to the Apache, and the Apache always think it is connecting to the IIS server, for the same domain name! A better explanation will come from walking through the configuration files 🙂

For security reasons we’ll configure everything to use SSL connections, so there will be a secure connection between client and Apache, and between Apache and IIS; no data goes over the net unencrypted. This is important because, as Microsoft says in the Q29661 article, only Basic Authentication is possible between front-end and back-end, even if the front-end is IIS and not Apache. By the way… using Integrated Windows Authentication with our configuration will make IE not work 🙂

Now we can configure our wonderful Apache server machine. I suggest using the latest httpd version. Naturally we assume that the reader has some experience with Virtual Hosts, both normal and SSL-based; for further information please read the Apache documentation.

First we assume the scenario in which you have a public or private domain (e.g. owa.myexistentdomain.com), so in your DNS you must resolve this domain to the Apache IP address (which could be public or private).

After that you MUST put this line into the /etc/hosts file of the Apache machine:
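The front-end half of the set-up the section describes, written out as an added example rather than the original post's own httpd.conf. owa.myexistentdomain.com is the page's placeholder name; the IIS address 192.0.2.10, the certificate paths and the Exchange 2000 virtual directories (/exchange, /exchweb, /public) are assumptions to be checked against your own IIS box. The back-end is addressed by the same FQDN as the front-end, which only works because /etc/hosts on the Apache machine maps that name to the IIS address while public DNS maps it to Apache.

```apache
# Added example (not the post's configuration): Apache 2 front-end for OWA.
# Client -> Apache is TLS with Apache's own cert; Apache -> IIS is re-encrypted,
# so the Basic-auth credentials the back-end insists on never cross in clear.
<VirtualHost *:443>
    ServerName owa.myexistentdomain.com

    # Client <-> Apache leg: a certificate issued for this exact Common Name.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/owa.myexistentdomain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/owa.myexistentdomain.com.key

    # Apache <-> IIS leg. IIS's certificate was signed by our private CA, so
    # hand mod_ssl that CA and require verification instead of switching it off:
    # an unverified back-end connection could be redirected to any host.
    SSLProxyEngine on
    SSLProxyCACertificateFile /etc/apache2/ssl/CA.crt
    SSLProxyVerify require

    # Forward proxying must stay off; only the listed paths are relayed.
    ProxyRequests Off

    # OWA returns absolute URLs containing its own FQDN, hence the back-end is
    # reached under the same name. On this machine /etc/hosts pins that name
    # to the IIS address (constructed example entry):
    #   192.0.2.10   owa.myexistentdomain.com
    ProxyPass        /exchange https://owa.myexistentdomain.com/exchange
    ProxyPassReverse /exchange https://owa.myexistentdomain.com/exchange
    ProxyPass        /exchweb  https://owa.myexistentdomain.com/exchweb
    ProxyPassReverse /exchweb  https://owa.myexistentdomain.com/exchweb
    ProxyPass        /public   https://owa.myexistentdomain.com/public
    ProxyPassReverse /public   https://owa.myexistentdomain.com/public
</VirtualHost>
```

SSLProxyVerify require is the one line that matters for the security argument of the section: without it, mod_proxy accepts any certificate on the back-end leg and the "no data goes over the net unencrypted" claim holds only against passive eavesdropping. Check the result with apachectl configtest before reloading.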

4. TROUBLESHOOTING

First of all, I suggest trying different browsers instead of IE, which is buggy. While doing this configuration I found out that when forcing SSLv3 with HIGH encryption, Netscape works but IE will NOT WORK, giving the stupid error “Navigation Cancelled” 😀 (thank you Mr. Bill… you make me happy).

After that try this:

+ Try to connect directly to IIS to ensure that it is not an IIS or OWA problem
+ Pinging owa.myexistentdomain.com from a client, I reach the Apache IP address.
+ Pinging owa.myexistentdomain.com from the Apache server, I reach the Exchange-IIS IP address.
+ Both the Apache and IIS certificates are valid and built on the owa.myexistentdomain.com Common Name
+ Try to disable NTLM auth; sometimes IE is more stupid than it appears.
+ Re-check the Apache and IIS configuration
+ Try to sniff the traffic to see what is going on!!!!
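The name-resolution and certificate items in the list above can be checked without a sniffer. The script below is an added helper, not part of the original post: run on a client it should show the name resolving to Apache and Apache's certificate; run on the Apache box it should show the /etc/hosts override, the IIS address and IIS's certificate, and in both places the served CN should equal the name connected to. The default host name is the post's placeholder; the port and the "run" argument are my own conventions.

```shell
#!/bin/sh
# Added troubleshooting helper (not from the original post). Checks where the
# OWA name resolves on this machine and which certificate the endpoint serves.
# Usage: sh owa-check.sh run   (override OWA_HOST / OWA_PORT in the environment)
set -u

OWA_HOST="${OWA_HOST:-owa.myexistentdomain.com}"   # the post's placeholder name
OWA_PORT="${OWA_PORT:-443}"                        # assumption

# Pull the CN out of an "openssl x509 -noout -subject" line. Handles both the
# current "subject=C = US, CN = host" layout and the older "subject= /C=US/CN=host".
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Where does this machine send the name? On a client this should be the Apache
# address; on the Apache box the /etc/hosts entry should win and give the IIS
# address. Empty output means the name does not resolve at all.
resolve_host() {
    getent hosts "$1" | awk '{ print $1; exit }'
}

# Is the name pinned in /etc/hosts here? Expected on the Apache box only; on a
# client such an entry would bypass the front-end entirely.
hosts_entry() {
    grep -v '^[[:space:]]*#' /etc/hosts 2>/dev/null | grep -w "$1" || true
}

# Fetch the served certificate, print issuer and validity, and compare its CN
# with the name we connected to. Returns 1 for no certificate, 2 for a mismatch.
probe_tls() {
    host="$1"; port="$2"
    cert=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
           | openssl x509 2>/dev/null) || { echo "no certificate from $host:$port" >&2; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -issuer -dates
    cn=$(cn_from_subject "$(printf '%s\n' "$cert" | openssl x509 -noout -subject)")
    if [ "$cn" = "$host" ]; then
        echo "CN '$cn' matches $host"
    else
        echo "CN mismatch: certificate says '$cn', expected $host" >&2
        return 2
    fi
}

if [ "${1:-}" = "run" ]; then
    echo "$OWA_HOST resolves here to: $(resolve_host "$OWA_HOST")"
    entry=$(hosts_entry "$OWA_HOST")
    [ -n "$entry" ] && echo "/etc/hosts override: $entry"
    probe_tls "$OWA_HOST" "$OWA_PORT"
fi
```

A CN mismatch on the Apache box means the IIS certificate was not built on the shared name, which is exactly the "system name is wrong" style of failure both halves of this page run into; a mismatch on a client means the Apache certificate is wrong or the client is reaching IIS directly.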

Best Regards,

Federico ego_pfe@xxxxxxxxx

Credits: I must say thanks to buzzzo; without him my lamerness would take windward 😉